Anyone who has had their Android smartphone infected with malware will be interested in following the ACLU’s new efforts to better secure your device.

The ACLU has filed a formal complaint with the Federal Trade Commission, asking the agency to force the four biggest mobile carriers (AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA) to begin providing Google-released security updates to their Android users.

Presently, wireless carriers decide arbitrarily whether or not they’ll provide these security updates to their customers. The ACLU warns that “there is no legitimate software upgrade path” for the Android customer, beyond having it provided by the carrier. And without these important security patches, customers risk being hacked — their phones remotely hijacked, their personal and private data stolen, their money fleeced from their online bank accounts.

The ACLU’s Principal Technologist and Senior Policy Analyst, Christopher Soghoian, wrote in the document filed with the FTC:

All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices. […]

The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials.

The ACLU contends that these failures “constitute deceptive and unfair business practices subject to review by the FTC under section 5 of The Federal Trade Commission Act.” If the carriers refuse to provide important security updates, the ACLU states, then the “FTC should at a minimum force them to provide device refunds to consumers and allow consumers to terminate their contracts without penalty so that they can switch to a provider who will.”

JUST HOW BIG IS THIS PROBLEM?

Google’s Android operating system accounts for 75% of the entire smartphone market. This overwhelming dominance has helped make it a prime target for ‘black-hat’ hackers, who exploit vulnerabilities for nefarious, often criminal, purposes. Security company Kaspersky revealed in its Security Bulletin 2012 that “99% of newly discovered mobile malicious programs target the Android platform.” The monthly discovery rate for Android malware has skyrocketed from 8 per month in January 2011, to 800 per month by the end of 2011, to a staggering 6,300 per month by the end of 2012.

And despite Android’s exploding malware epidemic, only 2% of all Android users have received the latest Google security update from their carriers. Most of them never will.

Ars Technica’s Casey Johnston investigated the roll-out of security updates by manufacturers and wireless carriers. Her article charts the time, in months, between Google’s release of each update and the date it was applied to each smartphone. Some phones, she discovered, “never received updates during their lifetime.” She added that “all [the] phones we looked at had Android updates available to them within a reasonable time frame relative to the handset’s release, but the carrier or manufacturer never got around to pushing one out.”

She also found that all the carriers continue to sell phones which they have already ‘orphaned’ — meaning the carrier has no intentions of ever providing a security update to the phone, even if the update is vital for patching a severe vulnerability. The ACLU contends that the carriers have a duty to inform the customer of the severe security risks inherent in these ‘orphaned’ phones, before they purchase them.

For those in the market for a new Android smartphone, but who cannot wait for the ACLU’s efforts to pan out, there is only one Android smartphone guaranteed to receive timely security updates: Nexus. This is Google’s own Android smartphone. Google partners with others (Samsung, HTC, LG, etc.) to design and manufacture the Nexus line, but allows all Nexus owners to bypass their carriers and receive ALL their Android updates directly from Google.

Mat Honan wrote a harrowing piece recently in Wired Magazine called “Kill the Password: Why a String of Characters Can’t Protect Us Anymore.” In it he described how a single password stolen from him by a young hacker turned his life upside down:

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Security companies have long striven to devise the killer app that would provide an iron-clad fortress around our passwords. Password managers are the much-hyped internet security apps of the moment, and security giants like Symantec (Norton) and Kaspersky have jumped on the bandwagon with their own variations on this model.

Here is how Neil Rubenking of PC Mag describes the core functionality of these apps:

When you log in to a secure site, your password manager captures the username and password; when you revisit that site, it offers to fill in the saved credentials. That, at its most basic, is the function of a password manager.

Many of these applications require that you manually enter each of your user names and unique passwords into the application. Because you will never have to remember them again, you can make each one as complex as possible, such as a 20+ character hodgepodge of letters, numbers, and symbols. Some of these security companies will even encrypt them locally on your PC, so that when they are stored in the cloud not even a rogue employee in their ranks will be able to read them.

And most significantly, since the password manager fills them in automatically, a malicious keyboard logger will be unable to capture all these unique passwords from you.

Iron clad security!

So how will you be accessing this Password Manager so that it can begin to log you into ALL your online accounts with these highly uncrackable passwords?

Oh right, you’ll need to come up with a single password that you can remember to log into your Password Manager. Hopefully this SINGLE memorable password won’t get picked up by a malicious keyboard logger, or somehow cracked by a malicious hacker. Because if that were to happen, he would gain instant access to EVERY SINGLE ACCOUNT YOU HAVE.

The entire logic behind this idea is fatally flawed. It is akin to using the same password for all of your many accounts — something every security professional warns you against doing.